Have you ever needed a user to quickly pop into their FileMaker solution and not get disconnected when switching networks or putting the device to sleep? This is a common request from FileMaker Go users, but it can also be useful for desktop users who keep their solution open all day. There are a couple of different ways to make this work, but as I found out recently, there are also some things to keep in mind when you are troubleshooting.
For the purpose of this blog post I am going to focus on FileMaker Go files, since that's the use case I have run into the most. The two approaches to dealing with this requirement are storing the user's credentials on the device and using the 'fmreauthenticate' extended privilege.
Storing Credentials in the Keychain
(Credential Manager on Windows, Keychain on iOS or Mac OS X)
Using the keychain makes it easy for a user to open a closed database as well as re-open one that's been disconnected. In this scenario, the keychain stores the credentials for logging into the solution, so the user can open the database connection without being asked for their FileMaker credentials. The good part, as my wife would tell you, is that you don't have to keep entering that darn password. The bad part is that anyone who gains access to the device now has the database credentials too. If you use this approach, be sure the device locks itself; otherwise you have a very insecure database, no matter how strong the account password is.
Locking itself? For security it's important to note that anyone with access to the device or computer in an unlocked state has easy access to every file whose credentials are stored in the keychain. For that reason, make sure the device requires a passcode (or fingerprint ID) to unlock, and set it to lock and sleep after a short period when left unattended. Check the documentation for the device your users will be using if you plan on going this route. If the iOS device is under mobile device management (MDM), these settings can be enforced rather than left to the user.
For configuring the keychain, FileMaker Go has a good help guide for setting this up on the device, as well as for configuring the passcode or Touch ID requirement in FileMaker Go 15.
The fmreauthenticate Extended Privilege
Although the keychain can help with supplying credentials, sometimes the user simply wants to stay logged in. They don't want to be forced to re-navigate to the layout/record they were on before getting logged out, or perhaps you don't want to take the risk of a user's iOS device not being configured to require a passcode. This is where adding an extended privilege to the solution can help.
Extended privileges are added and assigned by opening the solution's security settings and selecting Extended Privileges. By default, there is an extended privilege named 'fmreauthenticate10'. The 10 on the end means that anyone in a privilege set with this extended privilege will not be required to re-authenticate for 10 minutes after the device sleeps or the user switches apps, as long as they don't actually close the database. To use a different window, duplicate the entry or create a new extended privilege whose keyword is 'fmreauthenticate' followed by the number of minutes before the user must re-enter their credentials, e.g. 'fmreauthenticate60'. The maximum value is 10080 minutes (one week). See the FileMaker help page for more info.
Things to Keep in Mind
Here are some things to keep in mind when using fmreauthenticate. If more than one fmreauthenticate extended privilege is enabled for a single privilege set, the more restrictive one (the smaller number) wins. For instance, if a 'Manager' privilege set had both the 'fmreauthenticate10' and 'fmreauthenticate60' extended privileges enabled, the user would be required to re-authenticate after 10 minutes. This one is worth checking, since FileMaker gives no warning about the double entry.
In a multi-file solution, where each file's resources are governed by its own security settings, you also want to make sure the privilege set in question has the same fmreauthenticate setting in every file. Suppose users of the 'Manager' privilege set have the 'fmreauthenticate10' extended privilege in an 'Invoicing' file but 'fmreauthenticate60' in a 'Mobile Invoicing' file, and the 'Mobile Invoicing' file uses the 'Invoicing' file as an external data source for some of its table occurrences. After 10 minutes, a user of the 'Manager' privilege set working in 'Mobile Invoicing' will be forced to re-enter their credentials, because the session is also bound by the extended privileges of the 'Invoicing' file it depends on. In practice the shortest window in any file the user touches is the one that applies.
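The two pitfalls above (a privilege set with more than one fmreauthenticate entry, and the same privilege set having different windows in different files of a multi-file solution) are easy to miss in the Manage Security dialog. The following Python script is an added example, not part of the original post or of FileMaker itself. It assumes you have transcribed (or exported and parsed into) a simple mapping of file name to privilege set to the list of enabled extended privilege keywords; the 'Invoicing' / 'Mobile Invoicing' sample data is constructed to match the scenario described above. The parsing rule (the keyword is fmreauthenticate followed by a minute count, maximum 10080) and the "smallest value wins" rule come from the text; the audit function applies them across files.

```python
import re
from collections import defaultdict

# fmreauthenticateN: N is the number of minutes a FileMaker Go user may be
# away (device asleep, app in background) before having to re-authenticate.
# FileMaker's documented maximum is 10080 minutes (one week).
FMREAUTH_RE = re.compile(r"^fmreauthenticate(\d+)$")
MAX_MINUTES = 10080

# Constructed sample: the scenario from the post, plus a privilege set that
# carries two fmreauthenticate entries in one file. Hypothetical data.
SAMPLE_SOLUTION = {
    "Invoicing": {
        "Manager": ["fmapp", "fmreauthenticate10", "fmreauthenticate60"],
        "Clerk": ["fmapp"],
    },
    "Mobile Invoicing": {
        "Manager": ["fmapp", "fmreauthenticate60"],
        "Clerk": ["fmapp"],
    },
}


def parse_fmreauthenticate(name):
    """Return the minute value of an fmreauthenticateN keyword, or None if
    the keyword is something else (fmapp, fmxdbc, ...). Raises ValueError
    for a value outside the range FileMaker accepts."""
    match = FMREAUTH_RE.match(name)
    if not match:
        return None
    minutes = int(match.group(1))
    if minutes < 1 or minutes > MAX_MINUTES:
        raise ValueError(f"{name}: {minutes} is outside 1..{MAX_MINUTES} minutes")
    return minutes


def effective_timeout(extended_privileges):
    """Effective window for one privilege set in one file: when several
    fmreauthenticate entries are enabled the smallest number applies.
    None means no fmreauthenticate entry at all (re-authenticate immediately)."""
    values = [v for v in (parse_fmreauthenticate(n) for n in extended_privileges) if v is not None]
    return min(values) if values else None


def audit(solution):
    """solution: {file_name: {privilege_set: [extended privilege keywords]}}.
    Returns a list of human-readable warnings; an empty list means no issue found."""
    warnings = []
    timeouts_by_set = defaultdict(dict)  # privilege set -> {file: effective minutes}

    for file_name, privilege_sets in solution.items():
        for ps_name, ext_privs in privilege_sets.items():
            fmreauth = [n for n in ext_privs if parse_fmreauthenticate(n) is not None]
            if len(fmreauth) > 1:
                warnings.append(
                    f"{file_name}/{ps_name}: more than one fmreauthenticate entry {fmreauth}; "
                    f"the smallest ({effective_timeout(fmreauth)} min) applies"
                )
            timeouts_by_set[ps_name][file_name] = effective_timeout(ext_privs)

    for ps_name, by_file in timeouts_by_set.items():
        if len(set(by_file.values())) > 1:
            # A file with no entry forces immediate re-authentication, so treat None as 0.
            shortest = min(0 if v is None else v for v in by_file.values())
            warnings.append(
                f"{ps_name}: fmreauthenticate differs across files {by_file}; "
                f"users will effectively be held to the shortest window ({shortest} min)"
            )
    return warnings


if __name__ == "__main__":
    for line in audit(SAMPLE_SOLUTION):
        print("WARNING:", line)
```

Run it after any change to Manage Security in a multi-file solution; a clean run prints nothing. The check is deliberately strict about file-to-file differences even where both windows are generous, because the shorter one silently governs the user's session through the external data source.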